secmod: services create their own client dirs with correct permissions

src/util/crypto_helper_denom.c

@@ -228,29 +228,32 @@ TALER_CRYPTO_helper_denom_connect (
 
     if (GNUNET_OK !=
         GNUNET_CONFIGURATION_get_value_filename (cfg,
-                                                 "PATHS",
+                                                 "taler-exchange-secmod-rsa",
-                                                 "TALER_RUNTIME_DIR",
+                                                 "CLIENT_DIR",
                                                  &tmpdir))
     {
-      GNUNET_log_config_missing (GNUNET_ERROR_TYPE_WARNING,
+      GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
-                                 "PATHS",
+                                 "taler-exchange-secmod-rsa",
-                                 "TALER_RUNTIME_DIR");
+                                 "CLIENT_DIR");
-      tmpdir = GNUNET_strdup ("/tmp");
-    }
-    GNUNET_asprintf (&template,
-                     "%s/crypto-rsa-client/cli",
-                     tmpdir);
-    GNUNET_free (tmpdir);
-    if (GNUNET_OK !=
-        GNUNET_DISK_directory_create_for_file (template))
-    {
-      GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_ERROR,
-                                "mkdir",
-                                template);
-      GNUNET_free (dh);
-      GNUNET_free (template);
       return NULL;
     }
+    GNUNET_asprintf (&template,
+                     "%s/cli",
+                     tmpdir);
+    /* We expect the service to create the client directory */
+    if (GNUNET_OK !=
+        GNUNET_DISK_directory_test (tmpdir,
+                                    GNUNET_YES))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  "Unable to read secmod client directory (%s)\n",
+                  tmpdir);
+      GNUNET_free (dh);
+      GNUNET_free (template);
+      GNUNET_free (tmpdir);
+      return NULL;
+    }
+    GNUNET_free (tmpdir);
     dh->template = template;
     if (strlen (template) >= sizeof (dh->sa.sun_path))
     {

src/util/crypto_helper_esign.c

@@ -229,26 +229,33 @@ TALER_CRYPTO_helper_esign_connect (
 
     if (GNUNET_OK !=
         GNUNET_CONFIGURATION_get_value_filename (cfg,
-                                                 "PATHS",
+                                                 "taler-exchange-secmod-eddsa",
-                                                 "TALER_RUNTIME_DIR",
+                                                 "CLIENT_DIR",
                                                  &tmpdir))
     {
-      GNUNET_log_config_missing (GNUNET_ERROR_TYPE_WARNING,
+      GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
-                                 "PATHS",
+                                 "taler-exchange-secmod-eddsa",
-                                 "TALER_RUNTIME_DIR");
+                                 "CLIENT_DIR");
-      tmpdir = GNUNET_strdup ("/tmp");
-    }
-    GNUNET_asprintf (&template,
-                     "%s/crypto-eddsa-client/cli",
-                     tmpdir);
-    GNUNET_free (tmpdir);
-    if (GNUNET_OK !=
-        GNUNET_DISK_directory_create_for_file (template))
-    {
       GNUNET_free (esh);
-      GNUNET_free (template);
       return NULL;
     }
+    GNUNET_asprintf (&template,
+                     "%s/cli",
+                     tmpdir);
+    /* We expect the service to create the client directory */
+    if (GNUNET_OK !=
+        GNUNET_DISK_directory_test (tmpdir,
+                                    GNUNET_YES))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  "Unable to read secmod client directory (%s)\n",
+                  tmpdir);
+      GNUNET_free (esh);
+      GNUNET_free (template);
+      GNUNET_free (tmpdir);
+      return NULL;
+    }
+    GNUNET_free (tmpdir);
     esh->template = template;
     if (strlen (template) >= sizeof (esh->sa.sun_path))
     {

src/util/taler-exchange-secmod-eddsa.c

@@ -1522,6 +1522,45 @@ run (void *cls,
     return;
   }
 
+  /* Create client directory and set permissions. */
+  {
+    char *client_dir;
+
+    if (GNUNET_OK !=
+        GNUNET_CONFIGURATION_get_value_filename (kcfg,
+                                                 "taler-exchange-secmod-eddsa",
+                                                 "CLIENT_DIR",
+                                                 &client_dir))
+    {
+      GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+                                 "taler-exchange-secmod-eddsa",
+                                 "CLIENT_DIR");
+      global_ret = 3;
+      return;
+    }
+
+    if (GNUNET_OK != GNUNET_DISK_directory_create (client_dir))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  "Can't create client directory (%s)\n",
+                  client_dir);
+      global_ret = 3;
+      return;
+    }
+    /* Set sticky group bit, so that clients will be writeable by the current service. */
+    if (0 != chmod (client_dir,
+                    S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_ISGID))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  "Can't set permissions for client directory (%s)\n",
+                  client_dir);
+      global_ret = 3;
+      return;
+    }
+
+    GNUNET_free (client_dir);
+  }
+
   if (GNUNET_OK !=
       GNUNET_CONFIGURATION_get_value_filename (kcfg,
                                                "taler-exchange-secmod-eddsa",

src/util/taler-exchange-secmod-eddsa.conf

@@ -13,6 +13,9 @@ KEY_DIR = ${TALER_DATA_HOME}/crypto-eddsa/
 # Where does the helper listen for requests?
 UNIXPATH = $TALER_RUNTIME_DIR/taler-exchange-secmod-eddsa.sock
 
+# Directory for clients.
+CLIENT_DIR = $TALER_RUNTIME_DIR/secmod-eddsa-client
+
 # Where should the security module store it's private key?
 SM_PRIV_KEY = ${TALER_DATA_HOME}/taler-exchange-secmod-eddsa/.private-key
 

src/util/taler-exchange-secmod-rsa.c

@@ -1896,6 +1896,45 @@ run (void *cls,
     return;
   }
 
+  /* Create client directory and set permissions. */
+  {
+    char *client_dir;
+
+    if (GNUNET_OK !=
+        GNUNET_CONFIGURATION_get_value_filename (kcfg,
+                                                 "taler-exchange-secmod-rsa",
+                                                 "CLIENT_DIR",
+                                                 &client_dir))
+    {
+      GNUNET_log_config_missing (GNUNET_ERROR_TYPE_ERROR,
+                                 "taler-exchange-secmod-rsa",
+                                 "CLIENT_DIR");
+      global_ret = 3;
+      return;
+    }
+
+    if (GNUNET_OK != GNUNET_DISK_directory_create (client_dir))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  "Can't create client directory (%s)\n",
+                  client_dir);
+      global_ret = 3;
+      return;
+    }
+    /* Set sticky group bit, so that clients will be writeable by the current service. */
+    if (0 != chmod (client_dir,
+                    S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP | S_ISGID))
+    {
+      GNUNET_log (GNUNET_ERROR_TYPE_ERROR,
+                  "Can't set permissions for client directory (%s)\n",
+                  client_dir);
+      global_ret = 3;
+      return;
+    }
+
+    GNUNET_free (client_dir);
+  }
+
   if (GNUNET_OK !=
       GNUNET_CONFIGURATION_get_value_filename (kcfg,
                                                "taler-exchange-secmod-rsa",

src/util/taler-exchange-secmod-rsa.conf

@@ -13,6 +13,9 @@ KEY_DIR = ${TALER_DATA_HOME}/crypto-rsa/
 # Where does the helper listen for requests?
 UNIXPATH = $TALER_RUNTIME_DIR/taler-exchange-secmod-rsa.sock
 
+# Directory for clients.
+CLIENT_DIR = $TALER_RUNTIME_DIR/secmod-rsa-client
+
 # Where should the security module store it's private key?
 SM_PRIV_KEY = ${TALER_DATA_HOME}/taler-exchange-secmod-rsa/.private-key